From 4e7ce28623042af6a4d7c68393c0602ec8b0c0bc Mon Sep 17 00:00:00 2001 From: Alban Bedel Date: Wed, 27 Sep 2017 16:01:35 +0200 Subject: [PATCH] rtpvorbisdepay: fix unbounded memory usage All received configurations are parsed and added to a list, this lead to an unbounded memory usage. As the configuration is resent every second this quickly lead to a large memory usage. Add a check to only add the config if it is not already available in the list. This fix only handle the typical case of a well behaved stream, a malicious server could still send many useless configurations to raise the client memory usage. --- gst/rtp/gstrtpvorbisdepay.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/gst/rtp/gstrtpvorbisdepay.c b/gst/rtp/gstrtpvorbisdepay.c index 762750a0a3..d3618b975a 100644 --- a/gst/rtp/gstrtpvorbisdepay.c +++ b/gst/rtp/gstrtpvorbisdepay.c @@ -134,6 +134,22 @@ gst_rtp_vorbis_depay_finalize (GObject * object) G_OBJECT_CLASS (parent_class)->finalize (object); } +static gboolean +gst_rtp_vorbis_depay_has_ident (GstRtpVorbisDepay * rtpvorbisdepay, + guint32 ident) +{ + GList *walk; + + for (walk = rtpvorbisdepay->configs; walk; walk = g_list_next (walk)) { + GstRtpVorbisConfig *conf = (GstRtpVorbisConfig *) walk->data; + + if (conf->ident == ident) + return TRUE; + } + + return FALSE; +} + /* takes ownership of confbuf */ static gboolean gst_rtp_vorbis_depay_parse_configuration (GstRtpVorbisDepay * rtpvorbisdepay, @@ -228,6 +244,13 @@ gst_rtp_vorbis_depay_parse_configuration (GstRtpVorbisDepay * rtpvorbisdepay, if (size < length && size + 1 != length) goto too_small; + if (gst_rtp_vorbis_depay_has_ident (rtpvorbisdepay, ident)) { + size -= length; + data += length; + offset += length; + continue; + } + /* read header sizes we read 2 sizes, the third size (for which we allocate * space) must be derived from the total packed header length. */ h_sizes = g_newa (guint, n_headers + 1);